Posted by timothy on Wednesday April 13, 2011 @02:50AM
from the governments-should-be-afraid-of-their-citizens dept.

An anonymous reader writes "Russia's Federal Security Service (FSB) has backed away from its call for a ban on Skype, Gmail and Hotmail, first voiced on Friday. On 8 April, FSB official Alexander Andreyechkin said foreign-based services that allowed for encrypted communications posed a security problem for Russia. 'The uncontrollable use of such services can lead to a major threat to Russia's security,' Andreyechkin reportedly said at a government meeting."

Also the language used is a bit prejudicial. Did the US "back down" on its decision to ban exports of strong algorithms or did it reconsider? Historically did they "back down" on segregation laws, or come to a greater understanding of equality?

The US is so free you thoughtcrime yourself out in blogs, emails, phone calls, web 2.0 etc. The urge to spread the message, find others, share and build is very powerful. If you do use encryption, the trail is even more clear and task force/federal interest builds.
The only thing that makes people really sit up is old court cases where they see the use of hardware and software to get around any level of encryption.
Russia seems to have learned this, spread the tools, understand the web 2.0/free tools, t

It's entirely appropriate to ban such services' use in government communications. And any firm of significant size would hopefully implement a similar policy. But if kids want to use Gmail to speak to their friends, I think the government would be better placed to succeed with education than with a ban.

The proposed ban was not against use in government communications. They need pass no law to achieve that, an executive order would be enough. The proposed ban was against any and all encrypted communications within the territory of Russia where the government has no key escrow. That includes Skype, Gmail, SSL, and plenty of other things.

There's no education issue here, unless what you mean is that they want to 'educate' Russian students about the benefit of alternatives to Skype and Gmail that the Russian government can intercept.

They need pass no law to achieve that, an executive order would be enough.

I'm not sufficiently familiar with the current Russian legal system. Would no legislative action be needed to require all government employees and contractors to only communicate work details through government-approved systems?

The proposed ban was against any and all encrypted communications within the territory of Russia where the government has no key escrow.

So the outcome could have been an agreement with Google etc. Either way, use of US services exposes users to snooping from the US government. I don't see any evidence that the people benefit.

There's no education issue here, unless what you mean is that they want to 'educate' Russian students about the benefit of alternatives to Skype and Gmail that the Russian government can intercept.

Or, educating Russian students about the benefit of alternatives to Skype and Gmail that the

They need pass no law to achieve that, an executive order would be enough.

I'm not sufficiently familiar with the current Russian legal system. Would no legislative action be needed to require all government employees and contractors to only communicate work details through government-approved systems?

The president has quite a lot of power in Russia, and can pass a "directive" without any sort of legislative review, so long as it does not go against an existing law or the constitution.

There are more people in the world who distrust the US government than there are people who distrust the Russian government - and if the choice was between a system secured from Russia and a system secured from the US, many would choose the latter.

So you're saying that people should be educated on just how bad the Russian government is?

Recall also that a determined Russian official would use the physical presence of a suspect to keylog / warrant search / otherwise anyway, so the value of protection against some form of snooping from one's own government is diminished vs the value of protection against snooping from foreigners.

They don't want to spy on one person, they want to spy on all people, at the same time. Then they find anyone interesting, gather evidence on them (or plant it) and remove them from being a future problem (permanently if need be). The US may if they really care enough take you to court, the Russians will simply kill you. And there's a lot more things a Russian does that interest the Russian government than there are th

They don't want to spy on one person, they want to spy on all people, at the same time. Then they find anyone interesting, gather evidence on them (or plant it) and remove them from being a future problem (permanently if need be). The US may if they really care enough take you to court, the Russians will simply kill you.

Isn't it great when we have some random person on the Internet who is able to paste directly from top-level government strategy manuals! Oh, wait, you're just making stuff up to fit your prejudices.

Fortunately, no-one in the US is killed by cops or subject to an unfair judicial process. And the US military is barely responsible for killing a single human over the last decade.

Look, we can all agree the Russian government is scary. It's just not as scary as the US government. Especially not for foreigners.

Also, if you cannot figure out what the Russian government wants by explicitly banning encrypted applications rather than applications that store data in the US then you're an idiot. Your argument is about the latter while the former is what's happening (and among other things the latter is actually easier for the US to spy on).

As far as I can tell, there is a desire to ban systems which the Russian government cannot easily eavesdrop on, but there is no aim at "banning encrypted applications".

There are so many examples in the US where the government is keen for you to secure your affairs from crime and hostile foreign involvement - as long as you don't secure them from the US government. For example, you're allowed to keep your money in a bank but the bank is required to report transactions which are "suspicious".

As far as I can tell, there is a desire to ban systems which the Russian government cannot easily eavesdrop on, but there is no aim at "banning encrypted applications".

Why am I thinking of the "Clipper" fiasco of a few POTUS ago? That couldn't happen here, surely? (For many values of "here", including both American and non-American values. And Russian values of "here", too.)

There is a fundamental problem in cryptography that users don't want to remember keys. So cryptosystems become only as secure as the master server that checks the user's login and manages the mapping from user accounts to temporary keys that are generated for each session. AFAICT Skype falls into this category and as such it would be pretty trivial for the owners of Skype to MITM their users' communications.

If you really want security you need to use a cryptosystem where you manage the keys yourself and take

Sorry that should have said it is at best as secure as the LEAST secure CA. In practice it is likely to be worse than the worst individual CA because different CAs may be susceptible to different hackers/blackmailers/etc.

Who needs backdoors or the ability to hack keys or snoop traffic when you have a login with appropriate access privileges on the box? SSL, etc. only protects what is sent between you and the server whilst it is in transit; if the bad guy has root (or similar) on the remote box, all bets are off.

Ok, well, rather than take the default "Democracy let loose the Freedom Bombs LOLZ" viewpoint...is the FSB correct? Can the use of Google become a threat to Russia's security? Yes or no? And if yes, then what are the appropriate steps that Russia should take to secure itself? Let's all remember that Google is no mere provider of neutral information services...as an American corporation Google has been, sadly, repeatedly guilty of overt acts that can only be labeled as pro-American.

I am sure the Russian government would have a problem if, say, all responses to email of some military contractor's employee ended up going unencrypted through routers where traffic is routinely intercepted by the US government. The fact that even without any (supposedly illegal) interception Google will also inevitably collect statistics about the content and will probably "patriotically" turn the content over to the US government if anything "interesting" shows up in statistics, is just icing on the cake.

Government arrogance never ceases to amaze me. Whether it be Russia, the US or anyone else. All governments exhibit the same sick arrogance that the citizens whom they "protect" should not be in any way protected from themselves.